Strictly speaking, it includes physical protection for people, workers particularly, since we also constitute physical information assets - well, most of us anyway (some are liabilities!). 'Health and safety' is, in a sense, part of information security, along with substantial parts of HR.

This very brief metrics discussion paper, written seven years ago, does not explore the entire scope of physical security but mentions just a few considerations around physical security targets and measurements. It was not one of our best efforts ... and yet it might just prompt you to think of something worth measuring in your situation.

I promise the quality of this series of papers improves as we head into 2015. Our understanding of metrics improved markedly as we did the thinking and research for the PRAGMATIC book, on top of which we revisited, updated and expanded on the older papers as we completed successive cycles of information security topics. Yes, I know it's "jam tomorrow" but stick with us and enjoy the journey.